Rule-based application access management

ABSTRACT

A container that manages access to protected resources using rules to intelligently manage them includes an environment having a set of software and configurations that are to be managed. A rule engine, which executes the rules, may be called reactively when software accesses protected resources. The engine uses a combination of embedded and configurable rules. It may be desirable to assign and manage rules per process, per resource (e.g. file, registry, etc.), and per user. Access rules may be altitude-specific access rules.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a divisional of U.S. Ser. No. 11/977,187, entitled“RULE-BASED APPLICATION ACCESS MANAGEMENT, filed Oct. 23, 2007, whichclaims the benefit of U.S. Application No. 60/853,941 entitled“RULE-BASED APPLICATION ACCESS MANAGEMENT, filed Oct. 23, 2006, both ofwhich are incorporated herein by reference in their entireties.

BACKGROUND

Software programs, as designed and implemented by their authors, willaccess operating system resources and other applications to add, create,modify, and execute them. Periodically, there are changes made to theprogram's runtime environment, usually but not limited to the operatingsystem or another application, configuration, or a combination of these.These changes affect the software program's environment.

Changes to a program's environment can affect not only the program, butother programs as well. Thus, it may be desirable to ensure thatcontrols are in place to avoid influencing the operation of a firstapplication when changes are made by a second application. To accomplishthis goal, administrators may use, for example, one of the followingmethods 1) contain the software to a dedicated machine 2) contain thesoftware to an OS through a virtual machine, 3) sandbox the application.Approaches 1) and 2) require additional resources. Approach 3) overlyrestricts the application.

Virtualizing a software application does not work particularly well formany types of software applications, including by way of example but notlimitation productivity applications. DLLs, fonts, the registry itselfare typically intended to be viewed by many or all applications runningon a machine. For example, with respect to Microsoft Word® and AdobeAcrobat®, Acrobat may include code to put a toolbar in Word. If Word iscompletely virtualized, then Acrobat cannot add the toolbar.

These and other issues are addressed, resolved, and/or reduced usingtechniques described herein. The foregoing examples of the related artand limitations related therewith are intended to be illustrative andnot exclusive. Other limitations of the related art will become apparentto those of skill in the relevant art upon a reading of thespecification and a study of the drawings.

SUMMARY

The following embodiments and aspects thereof are described andillustrated in conjunction with systems, tools, and methods that aremeant to be exemplary and illustrative, not limiting in scope. Invarious embodiments, one or more of the above-described problems havebeen reduced or eliminated, while other embodiments are directed toother improvements.

A software container that manages access to protected resources usingrules to intelligently manage them includes an environment having a setof software and configurations that are to be managed. A rule engine,which executes the rules, may be called reactively when softwareaccesses protected resources. The engine may use a combination ofembedded and configurable rules which can include, but are not limitedto, file, user and process access control lists (ACLs), softwarehandlers, and file and resource overlays. The container, if necessary,can create virtual images of resources to manage separate views of thecontainer resources.

It may be desirable to assign and manage rules per process, per resource(e.g. file, registry, etc.), and per user. In a non-limiting embodiment,a main process and child processes of a software application may beassigned the same set of rules, which allow these processes full accessto the application resources. Alternatively, processes, especially thoseexecuting outside the application's process tree, can be individuallyassigned rules that allow, restrict, or deny access to individualresources of the application. Same or different users may or may not beallowed to have same or different sets of rules for the same ordifferent applications at the same or different times of usage. Thesesets of rules should be communicated securely to the user's machineusing encryption.

Access rules may be altitude-specific.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention are illustrated in the figures.However, the embodiments and figures are illustrative rather thanlimiting; they provide examples of the invention.

FIG. 1 depicts a flowchart of an example of a method for rule-basedaccess to resources associated with a container.

FIGS. 2A and 2B depict conceptual diagrams of an example of a system forrule-based access to resources in a container.

FIG. 3 depicts a conceptual diagram of an example of a system includingsoftware containers.

FIG. 4 depicts a flowchart of an example of a method for pausing asoftware application, running a different software application tocompletion, and restarting the pause software application.

FIG. 5 depicts an example of a system for streaming software in anenvironment that includes software containers.

FIG. 6 depicts a flowchart of an example of a method for pausing astream-enabled application.

FIG. 7 depicts a system for use with the methods described herein.

FIG. 8 depicts a device for use with the system of FIG. 7.

FIG. 9 depicts a flowchart of an example of a method for setting rulesin association with altitude.

FIG. 10 depicts a flowchart of an example of a method for implementingrules at altitudes of a multi-altitude system.

FIG. 11 depicts a flowchart of an example of a method for responding toa request for a resource in a multi-altitude system.

FIG. 12 depicts a conceptual diagram illustrating how a published accesscontrol table is used to create a runtime access control table.

DETAILED DESCRIPTION

In the following description, for the purposes of explanation, numerousspecific details are set forth in order to provide a thoroughunderstanding of the present invention. It will be apparent, however, toone skilled in the relevant art that the present invention may bepracticed without one or more of these specific details or incombination with other components or process steps. In other instances,well-known structures and devices are shown in block diagram form inorder to avoid unnecessarily obscuring the present invention.

A technique for application access management involves running anapplication inside a container. The container may virtualize theapplication. Advantageously, the container can also partially virtualizean application or applications by “poking holes in the container” toallow other applications to access resources located in the container.Alternatively, the container may allow the application to run as if itwas not inside a container (“non-virtualized”) by giving full access toall files within the container. Using techniques described herein, anadministrator could decide on how much virtualization to allow for aparticular application, which could range from complete virtualizationto complete non-virtualization.

As a specific implementation, OpenOffice needs to be able to tell otherapplications where, for example, OpenOffice Writer files are located toenable the applications to access the Writer files. If OpenOffice isfully virtualized, then the Writer files may be hidden from otherapplications. If OpenOffice is not virtualized at all, then variousapplications that change the system environment could adversely impactOpenOffice, or vice versa. However, if OpenOffice is partiallyvirtualized, in that the system knows where certain files are located,the system can set up a “DMZ” in which, for example, file requests fromoutside applications can be serviced for selected files. Partialvirtualization can grant the benefits of both virtualization, andnon-virtualization.

For the purposes of this application, it is assumed that a containerserves to virtualize an application, and the container can have holespoked into it such that specific files can be accessed by applicationsoutside of the container. Thus, a container is capable of virtualizingan application (if no holes are poked through the container), partiallyvirtualizing the application (if some holes are poked through thecontainer), or allowing the application to run without anyvirtualization (if holes are poked through the container to everyresource in the container).

For the purposes of this application, a DMZ is a virtual area in whichresource requests of resources kept in or associated with a containerare honored or refused. The resource requests may succeed ifvirtualization associated with a relevant container does not include therequested resource (e.g., the resource is not virtualized at all), or ifthe requestor is allowed to pierce the container (e.g., the requestor isallowed access to the resource through a hole poked in the container).It should be noted that in some cases in this application, for thepurpose of example, it is assumed that a requestor requests a resourcethat exists, and that the rule-based determination as to whether tohonor the request is made at the DMZ. The rule-based determination canbe affirmative or negative depending upon the requestor.

For the purposes of this application, a requestor can be a user and/or aprocess. In an embodiment, the requestor is a user. In anotherembodiment, the requestor is a process. In another embodiment, therequestor is a user/process (e.g., rule-based decisions to grant or denyaccess to a resource consider both the requesting user and therequesting process).

FIG. 1 depicts a flowchart 100 of an example of a method for rule-basedaccess to resources associated with an application. In the example ofFIG. 1, the flowchart 100 starts at module 102 with providing acontainer, such as a software container. The container may include, forexample, one or more applications, including one or more resources (suchas, by way of example but not limitation, files) associated with theapplications. The applications may include executable files that areexecuted “inside” the container. In an embodiment, one or more of theapplications runs as the flowchart 100 continues from start to end. Inanother embodiment, a process associated with the applications islocated in memory as the flowchart 100 continues from start to end. Inother embodiments, a process associated with the applications may or maynot consume memory resources, and a application may or may not berunning, as the flowchart 100 continues from start to end. Resources mayinclude firmware resources, hardware resources, or software components,such as drivers, associated with the firmware or hardware resources.

In the example of FIG. 1, the flowchart 100 continues to module 104where rule-based access to protected resources is managed. Rule-basedaccess management can facilitate use of different runtime modelsincluding but not limited to the following: sand-boxing, overlaying, andhybrid. In the sand-boxing model, each application executes in aprotected and non-integrated environment, where resources of theapplication are not publicly visible to the system. In the overlayingmodel, each application appears publicly in the system as if it werephysically installed. Resources of the application that come intoconflicts with those of the system will be resolved such that newerresources take precedence over older ones. In the hybrid model, eachapplication also appears publicly in the system as if it is physicallyinstalled. Conflicting resources are not resolved, however, but arerestricted to access by appropriate processes only. This may letincompatible versions of the same application run side-by-side withoutinterferences.

In the example of FIG. 1, the flowchart 100 continues to module 106 withexecuting an application. The application may be associated with thecontainer introduced in module 102, a different container, or nocontainer. The application could be local or remote.

In the example of FIG. 1, the flowchart 100 continues to decision point108 where it is determined whether a resource is requested from a DMZ.For illustrative purposes, it is assumed that the application willrequest one or more resources. The DMZ may be associated with resourcesin the container introduced in module 102 or with resources in adifferent container. If the requested resource is not associated with aDMZ (108-N), then the flowchart 100 continues to module 110 where therequested resource is provided, assuming the resource is available,according to known or convenient techniques, and the flowchart 100returns to module 106 where execution of the application continues. If,on the other hand, the requested resource is associated with the DMZ(108-Y), then the flowchart 100 continues to decision point 112 where itis determined whether rule-based access is granted to the applicationfor the resource in the DMZ.

If it is determined that rule-based access is granted (112-Y), then theflowchart 100 continues to module 114 where the resource is provided,then the flowchart 100 continues to module 106 where execution of theapplication continues. If, on the other hand, it is determined thatrule-based access is not granted (112-N), then the flowchart 100continues to module 116 where access to the resource is restricted andto decision point 118 where it is determined whether the applicationends. Whether the application ends at this point may depend upon how theapplication reacts to having access to a resource restricted. Forexample, the application may end if it does not receive a requestedresource and could even “crash” if implementation is not robust. In thiscase, it would be determined at decision point 118 that the applicationends (118-Y) and the flowchart 100 ends. As another example, theapplication may be able to recover from having access to a resourcerestricted by requesting an alternative resource, attempting to“rephrase” the resource request with a different request (e.g., afterasking a software or human agent to perform an act), or proceedingwithout the requested resource. In this case, it would be determined atdecision point 118 that the application does not end (118-N) and theflowchart 100 continues to module 106 where execution of the applicationcontinues.

FIGS. 2A and 2B depict conceptual diagrams of an example of a system 200for rule-based access to resources in a container. In the example ofFIGS. 2A and 2B, the system 200 includes a requestor 202, a DMZ 204, anda software container 206. In an embodiment, the requestor 202 isidentifiable as a user, a process, or a combination of user and process.The DMZ 204 includes, for illustrative purposes only, a table thatcorrelates the requestor to a resource. Instead of a table, a known orconvenient structure could be used to manage access rules. The DMZ mayinclude rules associated with multiple requestors, resources inside thecontainer 206 or another container (not shown) and may have rules otherthan accept/deny (as shown in the FIGS. 2A and 2B), such as “read-only,”“verify,” or other rules. The container 206 includes resource 208-1 to208-N (collectively referred to as resources 208). Resources may includea known or convenient software, firmware, or hardware component. In anembodiment, the resources include software components such as softwaredrivers for driving hardware components. When specifically referring toa container that includes software resources, including software driversand the like, the container may be referred to as a software container.

In the example of FIG. 2A, the requestor 202 sends a request for, forthe purpose of illustration, the resource 208-1 (Resource 1). Therequest is intercepted or viewed by the DMZ 204, where a rule is checkedto ensure that the requestor 202 is allowed access to Resource 1. In theexample of FIG. 2A, for the purpose of illustration, the requestor 202is allowed access to Resource 1. Since the requestor 202 is allowedaccess, the request is forwarded from the DMZ 204 to the softwarecontainer 206. It should be noted that, depending upon the embodiment orimplementation, the DMZ 204 may or may not actually receive the request.For example, the DMZ could allow the requestor 202 to request therelevant resource directly if rule-based access is allowed.Alternatively, the DMZ may, for example, send a message to the softwarecontainer 206 (rather than forward the request), indicating that aresource should be provided to the requestor 202. In yet anotheralternative, requests can be hooked by the DMZ 204, using file hooks.The DMZ 204 can then analyze the request and either allow access to theresource or deny access. There are certain advantages to file hooking,some of which are described later with reference to FIG. 5. In any case,at some point, if rule-based access is allowed, requestor 202 gainsaccess to Resource 1.

FIG. 2A is intended, by the arrow from the resource 208-1 to therequestor 202, to symbolize read access to Resource 1. FIG. 2B isintended, by the arrow from the requestor 202 to the resource 208-1, tosymbolize write access to Resource 1. The arrow could also bebi-directional (not shown) to symbolize read/write access to Resource 1.Although Resource 1 is depicted as existing prior to the request, it maybe possible, in an embodiment, for the requestor 202 to create aresource and place it into the container 206. A rule may be modified,created, adopted, or otherwise used at the DMZ 204 to allow subsequentaccess by the requestor 202, access by another requestor (not shown), orsome other type of access.

FIG. 3 depicts an example of a system 300 for a partially virtualizedenvironment. In the example of FIG. 3, the system 300 includes aplurality of software containers 302-1 to 302-N (collectively referredto as software containers 302), a rule engine 304, and a process 306. Inan embodiment, each of the software containers 302 includes anenvironment having a set of software and configurations that are to bemanaged. For illustrative purposes, in the example of FIG. 3, thesoftware container 302-1 includes one or more resources 308 and aprocess 310, the software container 302-2 includes a process 312, andthe software container 302-N includes one or more resources 314. It maybe noted that software containers as described herein may include zeroor more processes and/or zero or more resources. The software containers302, if necessary, can create virtual images of resources to manageseparate views of container resources. In this way, a softwareapplication can be insulated from changes to the runtime environment forother programs. Similarly, other programs can be insulated from changesto the runtime environment made in association with the softwareapplication.

In an embodiment, the rule engine 304 is called reactively when softwareaccesses resources from outside or within the container. The rule engine304 may use, for example, a combination of embedded and configurablerules which can include by way of example but not limitation, file,user, and process access control lists (ACLs), software handlers, andfile and resource overlays. Rules may be assigned and managed, forexample, per process, per resource (e.g. file, registry, etc.), and peruser. In a non-limiting embodiment, a main process and child processesof a software application may be assigned the same set of rules, whichallow these processes full access to the application resources.Alternatively, processes, especially those executing outside theapplication's process tree, can be individually assigned rules thatallow, restrict, or deny access to individual resources of theapplication. Same or different users may or may not be allowed to havesame or different sets of rules for the same or different applicationsat the same or different times of usage. These sets of rules may becommunicated securely to the user's machine using encryption.

The rule engine 304 may be local or remote with respect to one or moreof the software containers 302 (or portions thereof) and/or the process306. Alternatively, the software containers 302 may include the ruleengine 304, either distributively, redundantly, or by having relativeglobal access.

For illustrative purposes, the process 306 is outside of a softwarecontainer. It may be noted that the process 306 could be local or remotewith respect to one or more of the software containers 302 (or portionsthereof). It should be noted that, in an embodiment, all local processesare located inside one or more of the software containers 302.

In the example of FIG. 3, the process 306 is depicted as accessing therule engine 304. For illustrative purposes, the access to the ruleengine 304 is represented as a uni-directional arrow from the process306 to the rule engine 304, which implies the process 306 provides datato the rule engine 304. The rule engine 304 determines whether the datais sufficient to determine that access to the resources 308 is allowed,and sends permission to the software container 302-1, which can allowaccess to the resources 308.

In the example of FIG. 3, the process 306 is depicted as accessing oneor more of the resources 308 that are located within the softwarecontainer 302-1. For illustrative purposes, access to one or more of theresources 308 is represented as a uni-directional arrow from theresources 308 to the process 306. While this may imply a read access, itshould be noted that, depending upon the process, resource, rules,and/or implementation, the access could be read, write, or read/writeaccess.

In operation, the process 306 provides data to the rule engine 304(e.g., in the form of a request for resources 308), which in turninforms the software container 302-1 that one or more of the resources308 should be made available to the process 306. This description may beconsidered a basic generalization for other implementations.

In an example of an implementation, the communications between the ruleengine 304 and the process 306 could be interception-based. In such anembodiment, the rule engine 304 may use a file system hook to intercepta request for resources 308 from the process 306. (One example of animplementation of a file system hook is a filter driver.) In thisembodiment, the uni-directional arrow from the process 306 to the ruleengine 304 represents the interception of a request for the resources308 from the process 306. Another example of an interception basedtechnique may incorporate a virtual drive, as described in U.S. Pat. No.6,453,334, issued on Sep. 17, 2002, to Vinson et al., which isincorporated herein by reference. Any known or convenientinterception-based technique could potentially be used.

In the example of FIG. 3, the process 310 is located within the softwarecontainer 302-1, and accesses the resources 308. In an embodiment, theprocess 310, although it is located within the same container as theresources 308, may be treated as if it were not so located. For example,the process 310 may send a request for resources 308 to (or have therequest intercepted by) the rule engine 304, the rule engine 304 informsthe software container 302-1, and the software container 302-1 gives theprocess 310 access to the resources 308. Alternatively, it may bedesirable to allow the process 310 access to the resources 308 withoututilizing the rule engine 304. For example, anything within the softwarecontainer 302-1 could be considered “safe.” In such an embodiment, theprocess 310 may be able to access the resources 308 without having therequest intercepted, while the process 306 may have requests interceptedand analyzed.

In the example of FIG. 3, the process 312 is located within the softwarecontainer 302-2, and accesses the resources 308. The access could be asdescribed previously (through the rule engine 304), or the process 312could be considered “safe” since it is located within a softwarecontainer 302-2, albeit a different software container than that of theresources 308. In an embodiment, each of the software containerslogically includes the rule engine 304. So, the process 312 could have arequest intercepted logically within the software container 302-2. Itmay be desirable to include rules that treat requests for resources thatoriginate from within a software container differently than requeststhat originate from outside of any software container (such as requestsfrom the process 306). For example, if the process 312 is refused writeaccess to the resources 308, the software container 302-2 may includeinstructions to copy some or all of the resources 308 into the softwarecontainer 302-2 for modification by the process 312. It should be notedthat even in the case of the process 306, which is logically outside ofa software container, resources could be copied for local modification.

FIG. 4 depicts a flowchart 400 of an example of a method for pausing asoftware application, running a different software application tocompletion, and restarting the pause software application. By usingrule-based access management techniques as described herein, theproblems associated with pausing a software application to run anothersoftware application, such as by making changes to the runtimeenvironment, are reduced or eliminated.

In the example of FIG. 4, the flowchart 400 starts at module 402 where afirst software application is executed in a first runtime environment.The flowchart 400 continues to module 404 where a timer is set. Settingthe timer is intended to help illustrate the value of using a softwarecontainer in a specific implementation. The flowchart 400 continues tomodule 406 where a software container manages rule-based access toprotected resources associated with the first software application.

In the example of FIG. 4, the flowchart 400 continues to decision point408 where it is determined whether the timer has expired. If it isdetermined that the timer has not expired (408-N), then the flowchart400 loops from module 406 to decision point 408 until the timer expires.If, on the other hand, it is determined that the timer has expired(408-Y), then the flowchart 400 continues to module 410 where the firstsoftware application is paused.

The flowchart 400 continues to module 412 where a second softwareapplication is run to completion. In an embodiment, the second softwareapplication is run in a second runtime environment that is nearlyidentical (initially) to the first runtime environment. However, thesecond software application is unable to make changes to the firstruntime environment (unless exceptions are made) for the first softwareapplication because the first software application is maintained withina software container. Accordingly, when the second software applicationends, the first software application resumes execution in the firstruntime environment. It may be noted that in an alternative embodimentthe second software application could instead run concurrently with thefirst software application, but in a second runtime environment.

The flowchart 400 continues to module 414 where execution of the firstsoftware application is resumed. The flowchart 400 continues to module416 where the timer is reset, then the flowchart 400 continues to module406, as described previously. Using this technique, a computer executinga first application could begin executing a second applicationperiodically (at a frequency that is dependent upon the length of thetimer).

In the example of FIG. 4, a timer is the trigger for execution of asecond application. However, the trigger could be just about any event.For example, in a game, the trigger could be advancement to a new level,access to a particular file, receiving a particular key-stroke orkey-stroke sequence, or some other trigger associated with the game.With enterprise or productivity software, the trigger could be similar,but might also include triggers such as noon (lunchtime), 6:00 (workover), or Friday (payroll) triggers, attempting to access a particularfeature or function, or when a file is going to be requested in astreaming context.

A system can freeze an application by telling the Operating System tolock up and pause the application. It may be difficult to freeze verylow level (e.g., disk driver) applications. If it becomes necessary tofreeze low level applications, the applications can be “virtually”frozen within a software container. Some applications depend upon asystem clock, which, if frozen, could cause them to crash. So it may bedesirable to maintain an internal clock within a software container thatserves as a system clock for internal processes, which can be frozen.Some applications are specially designed for excellent performance. Thisis relatively common with games, so game designers often use shortcutsand programming techniques on an as-needed basis. These shortcuts makefreezing the game even more problematic. Moreover, some games have codethat try to prevent interjecting other items into the game, which couldmake it even worse. Therefore, in particular contexts, it may bedesirable to fix quirks that occur frequently (or even infrequently) inprograms to make freezing the application work better.

Streaming software applications normally pause when they are beingstreamed (to wait for download of a required block), so freezingsoftware applications is a relatively straight-forward the techniquesdescribed herein. For example, a stream-enabled client shell may capturea runtime environment. So the client shell could be told to hold a blockassociated with a first stream-enabled software application until asecond software application has been executed.

FIG. 5 depicts an example of a system 500 for streaming software in anenvironment that includes software containers. In the example of FIG. 5,the system 500 includes a network 502, a streaming client 510, and astreaming server 530. In operation, the streaming client 510 requests,through the network 502, one or more blocks for streaming from thestreaming server 530. The streaming server 530 returns the requestedblocks to the streaming client 510.

It may be noted that blocks may be provided to the streaming client 510without being requested. For example, the streaming server 530 couldpredictively stream a stream-enabled application to the streaming client510, such as is described by way of example but not limitation in U.S.patent application Ser. No. 10/988,014, filed Nov. 11, 2004, by DeVries,which is incorporated by reference.

It may be noted that the streaming server 530 could instead be a mediadevice from which blocks are streamed, such as is described by way ofexample but not limitation in U.S. patent application Ser. No.11/273,862, filed Jun. 8, 2006, by DeVries et al., which is incorporatedby reference. As such, the network 502 could be considered optional, orin the alternative, a known or convenient means for coupling thestreaming client 510 to the streaming server 530 could be used.

In the example of FIG. 5, the streaming client 510 includes a clientshell 512, streaming software containers 514-1 to 514-N (collectivelyreferred to as streaming software containers 514), and a triggerdatabase 516. The streaming software container 514-1 includes a subsetof first stream-enabled application blocks 518, and the streamingsoftware container 514-2 includes a subset of second stream-enabledapplication blocks 520. In the example of FIG. 5, the streaming server530 includes a block server 532, first stream-enabled application blocks534, and second stream-enabled application blocks 536.

In an embodiment, the client shell 512 provides a virtual environment inwhich stream-enabled applications can run even if they are not entirelydownloaded. Stream-enabled applications may be maintained within thestreaming software containers 514. This may mean that the virtualenvironment of the client shell 512, which may include registryoverlays, file system overlays, spoofed registries, spoofed directories,spoofed environment variables, and/or other components that serve tovirtualize the environment, may be different from the runtimeenvironment associated with one or more of the streaming softwarecontainers 514. However, the client shell 512 may not include a virtualenvironment at all if the virtual environment typically needed forstreaming software is contained within each of the streaming softwarecontainers 514. Indeed, the client shell 512 could be partially orentirely subsumed by the streaming software containers 514. This is animplementation decision.

In the example of FIG. 5, in operation, a first application associatedwith the subset of first stream-enabled application blocks 518, is runin the client shell 512. As the first application runs, it may need anadditional block that is not included in the subset of firststream-enabled application blocks 518. The streaming client 510, onbehalf of the client shell 512, sends a request for the desired blockthrough the network 502 to the streaming server 530. At the streamingserver 530, the block server 532 accesses the requested block from thefirst stream-enabled application blocks 534, and returns the requestedblock to the streaming client 510. In this way, the first applicationcan continue to run, requesting blocks as needed.

It may be desirable to pause the first application. In the example ofFIG. 5, the trigger database 516 is intended to represent the collectionof events that may trigger pausing the first application to perform someother action, such as running a second application. The trigger database516 may include global triggers (such as forced execution of the secondapplication at a pre-determined time), local triggers, and/orapplication-specific triggers (such as requesting a particular block fora stream-enabled application).

In operation, if the client shell 512 detects an event that is in thetrigger database 516, execution of the first application may besuspended. Since the first application is maintained in a softwarecontainer, the runtime environment of the first application can besubstantially maintained. A first block of the second application canthen be requested, using the same mechanisms described previously. Atthe streaming server 530, the block server 532 accesses the requestedblock from the second stream-enabled application blocks 536 and returnsthe requested block. The requested block can then be added to the subsetof second stream-enabled application blocks 520 of the streamingsoftware container 514-2. It should be noted that one or more of theblocks associated with the second application could be pre-stored in thesubset of second stream-enabled application blocks 520. This could occurwell in advance (e.g., the blocks could be downloaded at the same timethe blocks associated with the first application are downloaded), or onthe fly (e.g., a trigger could force a download of blocks associatedwith the second application, but the first application could be pausedlater, after a sufficient number of blocks associated with the secondapplication have been downloaded). Moreover, the first application orthe second application need not even be stream-enabled. Alternatively,the first application could be a stream-enabled application, but thesecond application could be streaming media. (Note: Streaming media isactually not a stream-enabled application since the streaming media isnot executable). Assuming the second application is maintained in astreaming software container, as depicted in FIG. 5, the secondapplication could be paused while the first application (or some otherapplication) is executed.

FIG. 6 depicts a flowchart 600 of an example of a method for pausing astream-enabled application. The flowchart 600 starts at module 602 withdownloading a block associated with a stream-enabled application. It maybe noted that in some streaming software implementations, the first“block” includes registry data, file system data, environment variabledata, and/or other data that is used to set up a virtual environment inwhich a stream-enabled application associated with the first block canbe executed. It may or may not be the case that the first block isdifferent from all of the other blocks in that it is required, in thatit is a different size, or in some other way. For illustrative purposes,and because it is not necessary for an understanding of the techniquesdescribed herein, all blocks are treated equally.

The flowchart 600 continues to decision point 604 where it is determinedwhether a sufficient number of blocks are available to execute thestream-enabled application. In an embodiment, the first block alone issufficient. In other embodiments, two or more blocks must be downloadedbefore the stream-enabled application is executable. It may be notedthat a stream-enabled application may be executable after a certainnumber of blocks have been downloaded in one implementation, but that inanother implementation the number of blocks may be more or less. Thismay be, for example, due to performance issues (it may be desirable towait for more blocks because if the application is executed early itwill run slowly) or due to locally available resources that need not bedownloaded.

If it is determined that a sufficient number of blocks have not beendownloaded (604-N), then the flowchart 600 continues to module 602, andrepeats until a sufficient number of blocks have been downloaded. Whenit is determined that a sufficient number of blocks have been downloaded(604-Y), the flowchart 600 continues to module 606 where thestream-enabled application is executed. Then the flowchart 600 continuesto decision point 608 where it is determined whether a trigger eventoccurs.

If it is determined that a trigger event occurs (608-Y), then theflowchart 600 continues to module 610 where the stream-enabledapplication is paused, to module 612 where an alternative is played, andto decision point 614 where it is determined whether the alternativeends. If it is determined that the alternative does not end (614-N),then the flowchart 600 continues to module 612 where the alternativecontinues to play until it ends. When it is determined that thealternative ends (614-Y), the flowchart continues to module 616 whereexecution of the stream-enabled application resumes.

If it is determined that a trigger event does not occur (608-N), or ifthe flowchart 600 continues from module 616, the flowchart 600 continuesto decision point 618 where it is determined whether more blocks areneeded to run the stream-enabled application. If it is determined thatadditional blocks are not needed (618-N), the flowchart 600 continues todecision point 620 where it is determined whether the stream-enabledapplication ends. The flowchart 600 ends if the stream-enabledapplication ends (608-Y), and returns to decision point 608 if thestream-enabled application does not end (608-N). If it is determinedthat additional blocks are needed (618-Y), then the flowchart 600continues to module 620 where additional blocks are downloaded, tomodule 622 where execution of the stream-enabled application continues,and to decision point 608, as described previously.

The following description of FIGS. 7 and 8 is intended to provide anoverview of computer hardware and other operating components suitablefor performing techniques described herein, but is not intended to limitthe applicable environments. Similarly, the computer hardware and otheroperating components may be suitable as part of the apparatuses oftechniques described herein. The techniques can be implemented on othercomputer system configurations, including hand-held devices,multiprocessor systems, microprocessor-based or programmable consumerelectronics, network PCs, minicomputers, mainframe computers, and thelike. The techniques can also be implemented in distributed computingenvironments where tasks are performed by remote processing devices thatare linked through a communications network.

FIG. 7 depicts a networked system 700 that includes several computersystems coupled together through a network 702, such as the Internet.The term “Internet” as used herein refers to a network of networks whichuses certain protocols, such as the TCP/IP protocol, and possibly otherprotocols such as the hypertext transfer protocol (HTTP) for hypertextmarkup language (HTML) documents that make up the World Wide Web (theweb). The physical connections of the Internet and the protocols andcommunication procedures of the Internet are well known to those ofskill in the art.

The web server 704 is typically at least one computer system whichoperates as a server computer system and is configured to operate withthe protocols of the world wide web and is coupled to the Internet. Theweb server system 704 can be a conventional server computer system.Optionally, the web server 704 can be part of an ISP which providesaccess to the Internet for client systems. The web server 704 is showncoupled to the server computer system 706 which itself is coupled to webcontent 708, which can be considered a form of a media database. Whiletwo computer systems 704 and 706 are shown in FIG. 7, the web serversystem 704 and the server computer system 706 can be one computer systemhaving different software components providing the web serverfunctionality and the server functionality provided by the servercomputer system 706, which will be described further below.

Access to the network 702 is typically provided by Internet serviceproviders (ISPs), such as the ISPs 710 and 716. Users on client systems,such as client computer systems 712, 718, 722, and 726 obtain access tothe Internet through the ISPs 710 and 716. Access to the Internet allowsusers of the client computer systems to exchange information, receiveand send e-mails, and view documents, such as documents which have beenprepared in the HTML format. These documents are often provided by webservers, such as web server 704, which are referred to as being “on” theInternet. Often these web servers are provided by the ISPs, such as ISP710, although a computer system can be set up and connected to theInternet without that system also being an ISP.

Client computer systems 712, 718, 722, and 726 can each, with theappropriate web browsing software, view HTML pages provided by the webserver 704. The ISP 710 provides Internet connectivity to the clientcomputer system 712 through the modem interface 714, which can beconsidered part of the client computer system 712. The client computersystem can be a personal computer system, a network computer, a web TVsystem, or other computer system. While FIG. 7 shows the modem interface714 generically as a “modem,” the interface can be an analog modem, isdnmodem, cable modem, satellite transmission interface (e.g. “direct PC”),or other interface for coupling a computer system to other computersystems.

Similar to the ISP 714, the ISP 716 provides Internet connectivity forclient systems 718, 722, and 726, although as shown in FIG. 7, theconnections are not the same for these three computer systems. Clientcomputer system 718 is coupled through a modem interface 720 whileclient computer systems 722 and 726 are part of a LAN 730.

Client computer systems 722 and 726 are coupled to the LAN 730 throughnetwork interfaces 724 and 728, which can be Ethernet network or othernetwork interfaces. The LAN 730 is also coupled to a gateway computersystem 732 which can provide firewall and other Internet-relatedservices for the local area network. This gateway computer system 732 iscoupled to the ISP 716 to provide Internet connectivity to the clientcomputer systems 722 and 726. The gateway computer system 732 can be aconventional server computer system.

Alternatively, a server computer system 734 can be directly coupled tothe LAN 730 through a network interface 736 to provide files 738 andother services to the clients 722 and 726, without the need to connectto the Internet through the gateway system 732.

FIG. 8 depicts a computer system 740 for use in the system 700 (FIG. 7).The computer system 740 may be a conventional computer system that canbe used as a client computer system or a server computer system or as aweb server system. Such a computer system can be used to perform many ofthe functions of an Internet service provider, such as ISP 710 (FIG. 7).

In the example of FIG. 8, the computer system 740 includes a computer742, I/O devices 744, and a display device 746. The computer 742includes a processor 748, a communications interface 750, memory 752,display controller 754, non-volatile storage 756, and I/O controller758. The computer system 740 may be couple to or include the I/O devices744 and display device 746.

The computer 742 interfaces to external systems through thecommunications interface 750, which may include a modem or networkinterface. It will be appreciated that the communications interface 750can be considered to be part of the computer system 740 or a part of thecomputer 742. The communications interface can be an analog modem, isdnmodem, cable modem, token ring interface, satellite transmissioninterface (e.g. “direct PC”), or other interfaces for coupling acomputer system to other computer systems.

The processor 748 may be, for example, a conventional microprocessorsuch as an Intel Pentium microprocessor or Motorola power PCmicroprocessor. The memory 752 is coupled to the processor 748 by a bus760. The memory 752 can be dynamic random access memory (DRAM) and canalso include static ram (SRAM). The bus 760 couples the processor 748 tothe memory 752, also to the non-volatile storage 756, to the displaycontroller 754, and to the I/O controller 758.

The I/O devices 744 can include a keyboard, disk drives, printers, ascanner, and other input and output devices, including a mouse or otherpointing device. The display controller 754 may control in theconventional manner a display on the display device 746, which can be,for example, a cathode ray tube (CRT) or liquid crystal display (LCD).The display controller 754 and the I/O controller 758 can be implementedwith conventional well known technology.

The non-volatile storage 756 is often a magnetic hard disk, an opticaldisk, or another form of storage for large amounts of data. Some of thisdata is often written, by a direct memory access process, into memory752 during execution of software in the computer 742. One of skill inthe art will immediately recognize that the terms “machine-readablemedium” or “computer-readable medium” includes any type of storagedevice that is accessible by the processor 748 and also encompasses acarrier wave that encodes a data signal.

Objects, methods, inline caches, cache states and other object-orientedcomponents may be stored in the non-volatile storage 756, or writteninto memory 752 during execution of, for example, an object-orientedsoftware program.

The computer system 740 is one example of many possible computer systemswhich have different architectures. For example, personal computersbased on an Intel microprocessor often have multiple buses, one of whichcan be an I/O bus for the peripherals and one that directly connects theprocessor 748 and the memory 752 (often referred to as a memory bus).The buses are connected together through bridge components that performany necessary translation due to differing bus protocols.

Network computers are another type of computer system that can be used.Network computers do not usually include a hard disk or other massstorage, and the executable programs are loaded from a networkconnection into the memory 752 for execution by the processor 748. A WebTV system, which is known in the art, is also considered to be acomputer system according to the present invention, but it may lack someof the features shown in FIG. 8, such as certain input or outputdevices. A typical computer system will usually include at least aprocessor, memory, and a bus coupling the memory to the processor.

In addition, the computer system 740 is controlled by operating systemsoftware which includes a file management system, such as a diskoperating system, which is part of the operating system software. Oneexample of an operating system software with its associated filemanagement system software is the family of operating systems known asWindows® from Microsoft Corporation of Redmond, Wash., and theirassociated file management systems. Another example of operating systemsoftware with its associated file management system software is theLinux operating system and its associated file management system. Thefile management system is typically stored in the non-volatile storage756 and causes the processor 748 to execute the various acts required bythe operating system to input and output data and to store data inmemory, including storing files on the non-volatile storage 756.

FIG. 9 depicts a flowchart 900 of an example of a method for settingrules in association with altitude. In the example of FIG. 9, theflowchart 900 starts at module 902 where resources are displayed. Theresources may be displayed in a user interface (UI) or a graphical UI(GUI). Resources may include files and registry keys. Environmentvariables are, in some cases, treated much like resources. In general,in this paper, environment variables are only explicitly distinguishedfrom resources when a distinction is required or desired. Each resourcein the display has associated parameters that are also displayed, suchas an altitude, access control rules for the altitude, and securitysettings.

In the example of FIG. 9, the flowchart 900 continues to module 904where altitude for a set of the resources are adjusted. Initially,resources may have a default altitude value, such as 0, the highestaltitude (which can be practically any number, though, for illustrativesimplicity, we assume the number in any given implementation will be awhole number), or some number in between. By adjusting the altitude of aresource, the resource is tuned at a particular altitude. For example,if the default altitude is 0, it may be desirable to adjust the altitudeof the resource to some higher, more secure level.

In the example of FIG. 9, the flowchart 900 continues to module 906where altitude access control rules are provided at the altitudeselected for the resources. The access control rules may be provided asa default value, and the access control rules may be adjusted from thedefault value. Access control rules may vary depending upon theimplementation or embodiment of a particular system, and may include, byway of example but not limitation, accept, pause, or pass through. Theseaccess control types are described later with reference to FIG. 11.

In the example of FIG. 9, the flowchart 900 continues to module 908where security settings are provided for each resource at the altitude.The security settings may be provided as a default value, and thesecurity settings may be adjusted from the default value. Securitysettings may include, by way of example but not limitation, find, read,or write settings. There may be other settings as well, such as modify,but modify could be considered to be a subset of write.

In the example of FIG. 9, the flowchart 900 ends after a set of theresources are put on a particular altitude, and the access control rulesand security settings are adjusted at that altitude, assuming thedefaults are not accepted. In this way, a program may or may not haveresources at more than one altitude.

FIG. 10 depicts a flowchart 1000 of an example of a method forimplementing rules at altitudes of a multi-altitude system. In theexample of FIG. 10, the flowchart 1000 starts at module 1002, where aninitial altitude is determined. For illustrative purposes, the initialaltitude is assumed to be the highest altitude implemented on a system.Depending upon the implementation, the initial value altitude could bestarted at some altitude lower than the highest altitude, such as if,for example, a program being implemented has no resources in the highestaltitude. In any case, the flowchart 1000 will logically work,regardless of the actual initial altitude, if it is assumed the initialaltitude is the highest altitude.

In the example of FIG. 10, the flowchart 1000 continues to decisionpoint 1004 where it is determined whether the altitude is 0. Forillustrative purposes, altitude 0 is assumed to be the lowest (e.g.,physical or hardware) altitude. It may be noted that a standard filesystem is equivalent to a system that has only altitude 0. Therefore,adjusting the system to include a new program is accomplished in aconventional manner, as described in modules 1006-1010.

If it is determined that the altitude is 0 (1004-Y), then the flowchart1000 continues to module 1006 where files are written to the system, tomodule 1008 where the registry is changed appropriately, and to module1010 where the environment is updated. Updating the environmenttypically involves setting environment variables, and may include otherknown or convenient processes or settings. Having installed or virtuallyinstalled a program, the flowchart 1000 ends.

If, on the other hand, it is determined that the altitude is not 0(1004-N), then the flowchart 100 continues to module 1012 whereselective hooks are set up for files. Advantageously, the hooks areselective depending upon the altitude, resource, and requestor. Forexample, a requestor may have access to a resource at a given altitude,but not at some other altitude. Or a resource may only allow certaintypes of access at a given altitude, regardless of requestor ID.

In the example of FIG. 10, the flowchart 1000 continues to module 1014where registry hooks are set up. Registry hooks may be useful whenvirtualizing or streaming a software application. Essentially, you can“trick” a system into believing that an application is installed evenwhen it is not.

In the example of FIG. 10, the flowchart 1000 continues to module 1016where an environment is simulated. Although this may involve settingenvironment variables, the environment variables are set only at thecurrent altitude. Thus, the environment variables may be referred to asaltitude-specific environment variables, or, more generally, simulatedor virtual environment variables.

In the example of FIG. 10, the flowchart 1000 continues to module 1018where the altitude is decremented. Then the flowchart 1000 continues todecision point 1004 as described previously, and continues to loop untilaltitude 0 is reached.

Advantageously, the method of FIG. 10 can be used to implementresources, or to update resources. For example, if a patch for a programis needed, the patch may implement hooks and environment variables on anas-needed basis. Also, resources can be dynamically lowered in altitudein response to particular stimuli. For example, a demo program could bevirtually installed on a machine, enabling sandboxed operation then,when a user purchases the program, the program could be dropped inaltitude to 0 or some other altitude. Advantageously, lowering thealtitude need not involve additional downloads, and can be accomplishedwith relative speed. Lowering the altitude of resources may be referredto as a dynamic altitude change.

FIG. 11 depicts a flowchart 1100 of an example of a method forresponding to a request for a resource in a multi-altitude system. Inthe example of FIG. 11, the flowchart 1100 starts at module 1102 where arequest is initiated in association with a process ID for a resourcehaving a resource ID at an initial altitude. In a non-limitingembodiment, the request “enters” the highest altitude and, dependingupon the access controls at the altitude, is disposed of or passed alongto a lower altitude.

In the example of FIG. 11, the flowchart 1100 continues to decisionpoint 1104 where it is determined whether the altitude is 0. Althoughinitially this will not be the case, if it is determined that thealtitude is 0 (1004-Y), the flowchart 1100 continues to module 1106where access is granted at altitude 0. Thus, in those cases where therequest is not disposed of at a higher level, the resource will begranted at the lowest level. Then the flowchart 1100 ends, havinggranted access to the resource at altitude 0.

If, on the other hand, it is determined that the altitude is not 0(1104-N), the flowchart 1100 continues to module 1108 where a process IDand resource ID is looked up in a requestor-specific access controltable for the altitude. In an embodiment, each altitude has anassociated selective hook table that may include the requestor-specificaccess control table. The process ID should uniquely identify a processrunning on or through a local machine. The resource ID should uniquelyidentify a resource in a known or convenient manner. The process ID,resource ID, and altitude, considered together, are associated with anaccess control for the resource.

In the example of FIG. 11, the flowchart 1100 continues to decisionpoint 1110 where it is determined whether the access control is“accept.” If it is determined that the access control associated withthe request is “accept” (1110-Y), the flowchart 1100 continues to module1112 where the resource ID is looked up in a resource-specific accesscontrol table for the altitude. The resource-specific access controltable may also be considered part of the selective hook table. Theresource-specific access control table has requestor-agnostic securityrules for each resource. For example, some resources at the givenaltitude may grant find access (allowing a requestor to know that theresource exists, and perhaps where, but not be able to access theresource itself), read-only access, or write access. Then the flowchart1100 continues to module 1114 where the appropriate access is granted atthe altitude, and the flowchart 1100 ends, having granted theappropriate access to a resource for a request that was accepted.

If, on the other hand, it is determined that the access controlassociated with the request is not “accept” (1110-N), the flowchart 1100continues to decision point 1116 where it is determined whether theaccess control is “pause.” If it is determined that the access controlis “pause” (1116-Y), the flowchart 1100 continues to module 1118 wherean altitude-specific procedure is executed. Advantageously, this mayenable the insertion of ads, intermissions, or other interruptions in arunning program. If, on the other hand, it is determined that the accesscontrol is not “pause” (1116-N), the flowchart 1100 continues todecision point 1120 where it is determined whether the access control is“pass through.”

If it is determined that the access control is “pass through” (1120-Y),the flowchart 1100 continues to module 1122 where the altitude isdecremented, then the flowchart 1100 continues to decision point 1104 asdescribed previously. In this way, access control may be checked at alower altitude. Since lower altitudes are increasingly more public, thismay eventually result in a granting of access, as described previously.In the example of FIG. 11, only a few access controls are described. Ifnone of the access controls are granted, then the flowchart 1100continues to module 1124 where the request is denied, and the flowchart1100 ends having refused to grant access to the requested resource. Itmay be noted that “deny” may also be an access control, and in any caseis effectively an access control.

FIG. 12 depicts a conceptual diagram 1200 illustrating how a publishedaccess control table is used to create a runtime access control table.The diagram 1200 includes a published table 1202, a runtime table 1204,and a runtime function 1206. The published table 1202 includes aresource ID 1208, an altitude 1210, access control rules 1212, a fileobject 1214, a path 1216. The runtime table 1204 includes the resourceID 1208, the altitude 1210, a process ID 1218, and access control rules1220.

During runtime, the runtime function 1206 builds the runtime table 1204from the published table 1202 and, typically, other data. In the exampleof FIG. 12, the resource ID 1208 and the altitude 1210 are representedin both the published table 1202 and the runtime table 1204. The accesscontrol rules 1212 (of the published table 1202) and the access controlrules 1218 (of the runtime table 1204), however, may be different. Thefile object 1214 and the path 1216 are used to identify whether a givenprocess ID is for an applicable application. For example, a company thatprovides virtualized applications for a computing device may onlyprovide access control for programs with which it is associated or thatit is providing to the computing device.

In an embodiment, the access control rules 1212 and the access controlrules 1218 are the same if the process ID 1220 is associated with anapplicable application. However, if the process ID is not associatedwith an applicable application, the access control rules may be set to“pass through” or some other default access control rule.

In a system that includes altitudes, the various altitudes may representany of a number of different security levels. For example, in atwo-altitude system, altitude 0 may represent the physical layer andaltitude 1 may represent a virtualization layer. In a three-altitudesystem, altitude 0 may represent the physical layer, altitude 1 a publiclayer (partially sandboxed), and altitude 2 a private layer (fullysandboxed). In this implementation, the public altitude may be referredto as an “integrated” layer, and the private altitude may be referred toas an “isolated” layer. Other implementations may include an adaltitude, an emulation altitude, or some other altitude.

Advantageously, an ad altitude may capture requests as they pass from ahigher altitude toward a lower altitude, and pause the request longenough to play an ad. An emulation layer may capture requests associatedwith, for example, a Mac (on a PC) and dispose of the request on theemulation layer. It should be noted that these layers can be integratedinto the system as a whole, right down to the physical layer.

Some portions of the detailed description are presented in terms ofalgorithms and symbolic representations of operations on data bitswithin a computer memory. These algorithmic descriptions andrepresentations are the means used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of operations leading to adesired result. The operations are those requiring physicalmanipulations of physical quantities. Usually, though not necessarily,these quantities take the form of electrical or magnetic signals capableof being stored, transferred, combined, compared, and otherwisemanipulated. It has proven convenient at times, principally for reasonsof common usage, to refer to these signals as bits, values, elements,symbols, characters, terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the following discussion,it is appreciated that throughout the description, discussions utilizingterms such as “processing” or “computing” or “calculating” or“determining” or “displaying” or the like, refer to the action andprocesses of a computer system, or similar electronic computing device,that manipulates and transforms data represented as physical(electronic) quantities within the computer system's registers andmemories into other data similarly represented as physical quantitieswithin the computer system memories or registers or other suchinformation storage, transmission or display devices.

Techniques described herein may relate to apparatus for performing theoperations. This apparatus may be specially constructed for the requiredpurposes, or it may comprise a general purpose computer selectivelyactivated or reconfigured by a computer program stored in the computer.Such a computer program may be stored in a computer readable storagemedium, such as, but is not limited to, any type of disk includingfloppy disks, optical disks, CD-ROMs, and magnetic-optical disks,read-only memories (ROMs), random access memories (RAMs), EPROMs,EEPROMs, magnetic or optical cards, or any type of media suitable forstoring electronic instructions, and each coupled to a computer systembus.

The algorithms and displays presented herein are not inherently relatedto any particular computer or other apparatus. Various general purposesystems may be used with programs in accordance with the teachingsherein, or it may prove convenient to construct more specializedapparatus to perform the methods of some embodiments. The requiredstructure for a variety of these systems will appear from thedescription below. In addition, the techniques are not described withreference to any particular programming language, and variousembodiments may thus be implemented using a variety of programminglanguages.

Terms and examples described above serve illustrative purposes only andare not intended to be limiting. As used herein, the term “embodiment”means an embodiment that serves to illustrate by way of example but notlimitation.

It will be appreciated to those skilled in the art that the precedingexamples and embodiments are exemplary and not limiting to the scope ofthe invention. It is intended that all permutations, enhancements,equivalents, and improvements thereto that are apparent to those skilledin the art upon a reading of the specification and a study of thedrawings are included within the true spirit and scope of the invention.It is therefore intended that the following appended claims include allsuch modifications, permutations and equivalents as fall within the truespirit and scope of the present invention.

What is claimed is:
 1. A method comprising: displaying resources;providing altitude stored in a table for a set of the resources;providing access control rules stored in the table for the set ofresources at the altitude; providing a file object and a path in a tableentry of the table associated with a resource of the set of resources,wherein the table entry further includes the altitude and an accesscontrol rule of the access control rules; receiving at runtime a requestfor the resource from an application having a process ID; determiningwhether the process ID is associated with the file object and the path;if it is determined that the process ID is associated with the fileobject and the path: populating a runtime table with the altitude, theaccess control rule, and the process ID; if it is determined that theprocess ID is not associated with the file object and the path: settingthe access control rule to a Pass Through access control rule;populating the runtime table with the altitude, the Pass Through accesscontrol rule, and the process ID; providing security settings for theset of resources at the altitude.
 2. The method of claim 1, wherein theresources include files and registry keys, further comprising:determining a current altitude, wherein the current altitude isrepresented as a whole number; setting up selective hooks for files atthe current altitude in accordance with the altitude for files of theset of resources where the altitude equals the current altitude, whilethe current altitude is greater than zero.
 3. The method of claim 2,further comprising, while the current altitude is greater than zero,setting up registry hooks for registry keys at the current altitude inaccordance with the altitude for registry keys of the set of resourceswhere the altitude equals the current altitude.
 4. The method of claim2, further comprising, while the current altitude is greater than zero,simulating an environment at the current altitude.
 5. The method ofclaim 2, further comprising, while the current altitude is greater thanzero, decrementing the current altitude.
 6. The method of claim 1,further comprising, when the altitude is zero: writing files to asystem; changing a registry of the system; updating environmentvariables of the system.
 7. The method of claim 1, further comprising:initiating a request in association with a process ID for a resourcehaving a resource ID at a first altitude; looking up the process ID andthe resource ID in a requestor-specific access control table for thefirst altitude to determine access control.
 8. The method of claim 7,further comprising: looking up the resource ID in a resource-specificaccess control table for the first altitude to determine file accesstype; granting access of the file access type to the resource at thefirst altitude if the access control is Accept.
 9. The method of claim7, further comprising executing an altitude-specific procedure if theaccess control is Pause.
 10. The method of claim 7, further comprising:decrementing the first altitude, yielding a second altitude; looking upthe process ID and the resource ID in a requestor-specific accesscontrol table for the second altitude to determine access control if thesecond altitude is greater than zero; granting access at altitude zeroif the second altitude is zero.
 11. The method of claim 7, furthercomprising denying the request if the access control is Deny.
 12. Asystem comprising: at least one processor; memory storing instructionsconfigured to instruct the at least one processor to perform: displayingresources; providing altitude stored in a table for a set of theresources; providing access control rules stored in the table for theset of resources at the altitude; providing a file object and a path ina table entry of the table associated with a resource of the set ofresources, wherein the table entry further includes the altitude and anaccess control rule of the access control rules; receiving at runtime arequest for the resource from an application having a process ID;determining whether the process ID is associated with the file objectand the path; if it is determined that the process ID is associated withthe file object and the path: populating a runtime table with thealtitude, the access control rule, and the process ID; if it isdetermined that the process ID is not associated with the file objectand the path: setting the access control rule to a Pass Through accesscontrol rule; populating the runtime table with the altitude, the PassThrough access control rule, and the process ID; providing securitysettings for the set of resources at the altitude.
 13. The system ofclaim 12, wherein the resources include files and registry keys, furthercomprising: determining a current altitude, wherein the current altitudeis represented as a whole number; setting up selective hooks for filesat the current altitude in accordance with the altitude for files of theset of resources where the altitude equals the current altitude, whilethe current altitude is greater than zero.
 14. The system of claim 13,wherein the instructions are further configured to instruct the at leastone processor to perform, while the current altitude is greater thanzero, setting up registry hooks for registry keys at the currentaltitude in accordance with the altitude for registry keys of the set ofresources where the altitude equals the current altitude.
 15. The systemof claim 13, wherein the instructions are further configured to instructthe at least one processor to perform, while the current altitude isgreater than zero, simulating an environment at the current altitude.16. The system of claim 13, wherein the instructions are furtherconfigured to instruct the at least one processor to perform, while thecurrent altitude is greater than zero, decrementing the currentaltitude.
 17. The system of claim 12, wherein the instructions arefurther configured to instruct the at least one processor to perform,when the altitude is zero: writing files to a system; changing aregistry of the system; updating environment variables of the system.18. The system of claim 12, wherein the instructions are furtherconfigured to instruct the at least one processor to perform: initiatinga request in association with a process ID for a resource having aresource ID at a first altitude; looking up the process ID and theresource ID in a requestor-specific access control table for the firstaltitude to determine access control.
 19. The system of claim 18,wherein the instructions are further configured to instruct the at leastone processor to perform: looking up the resource ID in aresource-specific access control table for the first altitude todetermine file access type; granting access of the file access type tothe resource at the first altitude if the access control is Accept. 20.The system of claim 18, wherein the instructions are further configuredto instruct the at least one processor to perform executing analtitude-specific procedure if the access control is Pause.
 21. Thesystem of claim 18, wherein the instructions are further configured toinstruct the at least one processor to perform: decrementing the firstaltitude, yielding a second altitude; looking up the process ID and theresource ID in a requestor-specific access control table for the secondaltitude to determine access control if the second altitude is greaterthan zero; granting access at altitude zero if the second altitude iszero.
 22. The system of claim 18, wherein the instructions are furtherconfigured to instruct the at least one processor to perform denying therequest if the access control is Deny.
 23. A system comprising aprocessor, further comprising: means for displaying resources; means forproviding altitude stored in a table for a set of the resources; meansfor providing access control rules stored in the table for the set ofresources at the altitude; means for providing a file object and a pathin a table entry of the table associated with a resource of the set ofresources, wherein the table entry further includes the altitude and anaccess control rule of the access control rules; means for receiving atruntime a request for the resource from an application having a processID; means for determining whether the process ID is associated with thefile object and the path; means for populating a runtime table with thealtitude, the access control rule, and the process ID if it isdetermined that the process ID is associated with the file object andthe path; means for setting the access control rule to a Pass Throughaccess control rule if it is determined that the process ID is notassociated with the file object and the path; means for populating theruntime table with the altitude, the Pass Through access control rule,and the process ID if it is determined that the process ID is notassociated with the file object and the path; means for providingsecurity settings for the set of resources at the altitude.